We performed a comparison between SonarQube and Checkmarx based on our users’ reviews in four categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Both solutions have intuitive interfaces and are easy to use. However, Checkmarx offers a more comprehensive feature set, including software composition scanning and a higher number of vulnerabilities detected. Checkmarx also provides better language support and more advanced reporting capabilities. SonarQube has a simpler pricing model and is generally considered more affordable. SonarQube focuses strongly on code quality and offers better integration with DevOps pipelines. The customer service and support experiences for both products vary, with some users praising the support and others reporting negative experiences.
"The feature that I have found most valuable is that its number of false positives is less than the other security application platforms. Its ease of use is another good feature. It also supports most of the languages."
"The product's most valuable feature is static code and supply chain effect analysis. It provides a lot of visibility."
"The main advantage of this solution is its centralized reporting functionality, which lets us track issues, then see and report on the priorities via a web portal."
"What I like best about Checkmarx is that it has fewer false positives than other products, giving you better results."
"Most valuable features include: ease of use, dashboard. interface and the ability to report."
"The UI is user-friendly."
"The most valuable feature is the application tracking reporting."
"The user interface is modern and nice to use."
"We have the software metrics that SonarQube gives us, which is something we did not have before. This helps us work towards aiming coding standards to empower us to move in the direction of better code quality. SonarQube provides targets and metrics for that."
"Improve the code coverage and evaluates the technical steps and percentage of code being resolved."
"Some of the most valuable features have been the latest up-to-date of the OWASP, the monitoring, the reporting, and the ease of use with the IDE plugins, in terms of integration."
"With SonarQube's web interface, it is easy to drill down to see the individual problems, but also to look at the project from above and get the big picture, with possible larger problem areas."
"The most valuable feature of this solution is that it is free."
"The integrations SonarQube provides with our software delivery pipeline are very seamless."
"We have worked with the support from SonarQube and we have had good experiences."
"The most valuable features are the wide array of languages, multiple languages per project, the breakdown of bugs, and the description of vulnerabilities and code smells (best practices)."
"Checkmarx has a slightly difficult compilation with the CI/CD pipeline."
"We would like to be able to run scans from our local system, rather than having to always connect to the product server, which is a longer process."
"It provides us with quite a handful of false positive issues. If Checkmarx could reduce this number, it would be a great tool to use."
"The interactive application security testing, or IAST, the interactive part where you're looking at an application that lives in a runtime environment on a server or virtual machine, needs improvement."
"The tool is currently quite static in terms of finding security vulnerabilities. It would be great if it was more dynamic and we had even more tools at our disposal to keep us safe. It would help if there was more scanning or if the process was more automated."
"We are trying to find out if there is a way to identify the run-time null values. I am analyzing different tools to check if there is any tool that supports run-time null value identification, but I don't think any of the tools in the market currently supports this feature. It would be helpful if Checkmarx can identify and throw an exception for a null value at the run time. It would make things a lot easier if there is a way for Checkmarx to identify nullable fields or hard-coded values in the code. The accessibility for customized Checkmarx rules is currently limited and should be improved. In addition, it would be great if Checkmarx can do static code and dynamic code validation. It does a lot of security-related scanning, and it should also do static code and dynamic code validation. Currently, for security-related validation, we are using Checkmarx, and for static code and dynamic code validation, we are using some other tools. We are spending money on different tools. We can pay a little extra money and use Checkmarx for everything."
"The product can be improved by continuing to expand the application languages and frameworks that can be scanned for vulnerabilities. This includes expanded coverage for mobile applications as well as open-source development tools."
"Its user interface could be improved and made more friendly."
"Technical support and the price could be better."
"There needs to be a shareable reporting piece or something we can click and generate easily."
"The product's pricing could be lower."
"It should be user-friendly."
"We previously experienced issues with security but a segregated security violation has been implemented and the issues we experienced are being fixed."
"The security in SonarQube could be better."
"SonarQube's detail in the security could be improved. It may be helpful to have additional details, with regards to Oracle PL/SQL. For example, it's neither as built nor as thorough as Java. For now, this is the only additional feature I would like to see."
"The solution could improve the management reports by making them easier to understand for the technical team that needs to review them."
Checkmarx One is ranked 3rd in Application Security Tools with 67 reviews while SonarQube is ranked 1st in Application Security Tools with 110 reviews. Checkmarx One is rated 7.6, while SonarQube is rated 8.0. The top reviewer of Checkmarx One writes "The report function is a great, configurable asset but sometimes yields false positives". On the other hand, the top reviewer of SonarQube writes "Easy to integrate and has a plug-in that supports both C and C++ languages". Checkmarx One is most compared with Veracode, Fortify on Demand, Snyk, Coverity and Mend.io, whereas SonarQube is most compared with SonarCloud, Coverity, Veracode, Snyk and Sonatype Lifecycle.
We monitor all Application Security Tools reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
SonarQube depends completely on how you configure the Rules. You will have the option of Profile creation, and Profiles can be assigned to the Projects. If you configure the project --> under them services configuration it is good to go. Proper configuration is important in SonarQube. Yes, SonarQube allows developers to delint their code before SAST.
Veracode recently introduced it. But this integration at the developer machine is available only for Java-coded projects.
About the vulnerability coverage, both are the same. OWASP Top 10 is equal to SANS 25. SANS 25 is categorized with one category number and described under that subsection. Refer to this: https://www.templarbit.com/blog/2018/02/08/owasp-top-10-vs-sans-cwe-25/
SonarQube can be used for SAST. However, based on our internal analysis, our team feels Checkmarx is better suited for security compared to SonarQube. SonarQube is used in day-to-day developer code scans and Checkmarx is used during code movement to staging or during release.